diff --git a/Dockerfile b/Dockerfile
index c8c236fd2..7e0fdc48a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM ruby:3.2-bookworm
 MAINTAINER SciNote <info@scinote.net>
 
-ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.3/tika-app-2.9.3.jar"
+ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.4/tika-app-2.9.4.jar"
 ENV TIKA_PATH=/usr/local/bin/tika-app.jar
 
 # additional dependecies
diff --git a/Dockerfile.production b/Dockerfile.production
index 31118f38c..630f62bcf 100644
--- a/Dockerfile.production
+++ b/Dockerfile.production
@@ -45,7 +45,7 @@ RUN \
 FROM ruby:3.2-bookworm AS runner
 MAINTAINER SciNote <info@scinote.net>
 
-ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.3/tika-app-2.9.3.jar"
+ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.4/tika-app-2.9.4.jar"
 ENV TIKA_PATH=/usr/local/bin/tika-app.jar
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
diff --git a/app/controllers/wopi_controller.rb b/app/controllers/wopi_controller.rb
index 12479671c..8882a4521 100644
--- a/app/controllers/wopi_controller.rb
+++ b/app/controllers/wopi_controller.rb
@@ -2,8 +2,8 @@ class WopiController < ActionController::Base
   include WopiUtil
 
   skip_before_action :verify_authenticity_token
-  before_action :load_vars, :authenticate_user_from_token!
   before_action :verify_proof!
+  before_action :load_vars, :authenticate_user_from_token!
 
   # Only used for checkfileinfo
   def file_get_endpoint
@@ -25,11 +25,11 @@ class WopiController < ActionController::Base
 
   def post_file_endpoint
     override = request.headers['X-WOPI-Override']
+    return render body: nil, status: :unauthorized if !@can_write && %w(LOCK UNLOCK REFRESH_LOCK).include?(override)
+
     case override
     when 'GET_LOCK'
       get_lock
-    when 'PUT_RELATIVE'
-      put_relative
     when 'LOCK'
       old_lock = request.headers['X-WOPI-OldLock']
       if old_lock.nil?
@@ -41,7 +41,7 @@ class WopiController < ActionController::Base
       unlock
     when 'REFRESH_LOCK'
       refresh_lock
-    when 'GET_SHARE_URL'
+    when 'GET_SHARE_URL', 'PUT_RELATIVE'
       render body: nil, status: :not_implemented
     else
       render body: nil, status: :not_found
@@ -51,6 +51,8 @@ class WopiController < ActionController::Base
   # Only used for putfile
   def file_contents_post_endpoint
     logger.warn 'WOPI: post_file_contents called'
+    return render body: nil, status: :unauthorized unless @can_write
+
     put_file
   end
 
@@ -95,10 +97,6 @@ class WopiController < ActionController::Base
     render json: msg
   end
 
-  def put_relative
-    render body: nil, status: :not_implemented
-  end
-
   def lock
     lock = request.headers['X-WOPI-Lock']
     logger.warn 'WOPI: lock; ' + lock.to_s
diff --git a/spec/controllers/wopi_controller_spec.rb b/spec/controllers/wopi_controller_spec.rb
index 6a497b37c..97e679301 100644
--- a/spec/controllers/wopi_controller_spec.rb
+++ b/spec/controllers/wopi_controller_spec.rb
@@ -17,7 +17,7 @@ describe WopiController, type: :controller do
   end
 
 
-  let(:protocol_in_repository) { create :protocol, :in_public_repository, team: team, added_by: user }
+  let(:protocol_in_repository) { create :protocol, :in_repository_draft, team: team, added_by: user }
   let(:step_in_repository) { create :step, protocol: protocol_in_repository, user: user }
 
   let!(:asset) { create :asset }